to add a new content
Resource
10 Steps to Cyber Security

This guidance is designed to help organisations protect themselves in cyberspace and best practises for cyberspace security. It relays the task of defending your networks, systems and information into its essential components.

It is important to note, when dealing cyberspace protection, the organisation knows the kinds of cyber attacks it expects to understand what protection would be needed. 

Note: This high level guidance provides context on the 10 steps. Each step is also individually signposted on the National Standards platform.

 

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cloud Security Principles

Published by the National cyber security centre, this guidance document provides details and context on the following 14 cloud security principles.

1. Data in transit

2. Asset protection and resilience

3. Separation between users

4. Governance framework

5. Operational security

6. Personnel security

7. Secure development

8. Supply chain security

9. Secure user management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information for users

14. Secure use of the service

 

Published 17/11/2018
Authoring body: National Cyber Security Centre (NCSC)
Principles
Resource
Cyber Security: Asset management

Step 3 from the 10 steps to Cyber Security covers asset management, ensuring you know what data and systems you manage, and what business need they support.

Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Architecture and configuration

Step 4 from the 10 steps to Cyber Security covers how to design, build and maintain systems securely.

The technology and cyber security landscape is constantly evolving. To address this, organisations need to ensure that good cyber security is baked into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Incident management

Step 9 from the 10 steps to Cyber Security covers how to plan your response to cyber incidents in advance.

Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Vulnerability management

Step 5 from the 10 steps to Cyber Security covers how to keep your systems protected throughout their lifecycle.

The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation. Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Risk management

Step 1 from the 10 steps to Cyber Security covers the approach to risk management.

Taking risks is a natural part of doing business. Risk management informs decisions so that the right balance of threats and opportunities can be achieved to best deliver your business objectives. Risk management in the cyber security domain helps ensure that the technology, systems and information in your organisation are protected in the most appropriate way, and that resources are focussed on the things that matter most to your business. A good risk management approach will be embedded throughout your organisation and complement the way you manage other business risks.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Supply chain security

Step 10 from the 10 steps to Cyber Security covers how and why it is sensible to collaborate with your suppliers and partners

Most organisations rely upon suppliers to deliver products, systems, and services. An attack on your suppliers can be just as damaging to you as one that directly targets your own organisation. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. The first step is to understand your supply chain, including commodity suppliers such cloud service providers and those suppliers you hold a bespoke contract with. Exercising influence where you can, and encouraging continuous improvement, will help improve security across your supply chain.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Engagement and training

Step 2 from the 10 steps to Cyber Security covers the engagement and training of members from your organisation.

People should be at the heart of any cyber security strategy. Good security takes into account the way people work in practice, and doesn't get in the way of people getting their jobs done. People can also be one of your most effective resources in preventing incidents (or detecting when one has occurred), provided they are properly engaged and there is a positive cyber security culture which encourages them to speak up. Supporting your staff to obtain the skills and knowledge required to work securely is often done through the means of awareness or training. This not only helps protect your organisation, but also demonstrates that you value your staff, and recognise their importance to the business.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Identity and access management

Step 6 from the 10 steps to Cyber Security covers how to control who and what can access your systems and data via identity and access management (IAM)

Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. A good approach to identity and access management will make it hard for attackers to pretend they are legitimate, whilst keeping it as simple as possible for legitimate users to access what they need. 

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance